The Apollo Incident: Summary.
Thomas Roessler
ABSTRACT
apollo.honeyp.edu was successfully attacked by an outside
intruder who apparently planned to use the system as a
base of operations for further attacks, and for activities
on the Internet Relay Chat Network. The attacker tried to
harvest user passwords, but was not successful at this.
There is no indication that apollo was actually used to
attack remote systems.
1. Abridged Time Line.
apollo.honeyp.edu was attacked on Nov 7 2000, 23:11:51 CST. The
intruder exploited a publicly known security hole and installed a
simple back door on the system, which was later removed.
The intruder returned at 07:28 CST on Nov 8 and carried out several
kinds of activity:
· The intruder re-installed various system software packages in an
attempt to harden the system against further attacks.
· The intruder replaced various system utilities with versions
which would help to conceal his activities.
· The intruder compiled and installed a version of the Secure
Shell server which would permit him to log in using a special
password. As a side-effect, this version of the Secure Shell
server would log any passwords entered.
· The intruder installed and ran an IRC client, and tried to
install a "robotic" IRC client. Apparently, the attacker planned
to use apollo for various IRC-related activities.
Thomas Roessler 27 January 2001 [Page 1]
· The intruder left behind various tools which could be used to
attack other systems, using apollo as his new base of
operations.
· A network sniffer was run.
The intruder left the system at 08:06 CST.
The system's state was frozen at approximately 20:00 CST.
2. Impact.
No user passwords were collected by the intruder. There are no
indications that the host was actually used to attack other systems.
An in-depth investigation of the incident took 37 hours.
3. Notes.
The break-in could have been avoided by applying vendor-supplied
software patches in a timely manner. The weakness used had been
publicly known since July 2000. The attack tool used was published
on August 5. A vendor-supplied upgrade was available since July 17,
2000. In order to avoid future break-ins, steps should be taken to
ensure proper software updates and systems administration.